Wednesday, August 3, 2011

Operating System identify Solid State Drives by querying the hard drive for its rotational speed. To be precise it is done by identification of nominal rotation rate as described in AT Attachment – 8 ATA/ATAPI Command Set (ATA8-ACS).

If 0001h value is returned, Windows 7 for example turns on TRIM support and disables defragmentation. Furthermore, to reduce the frequency of writes and flushes, Windows 7 in addition to boot and application launch prefetching also disables services such as ReadyBoost and Superfetch. As far as I am aware Windows XP or Windows Vista cannot differentiate SSDs from hard drives. The following file systems are known to be TRIM supported by its respective Operating Systems: NTFS, HFS+, EXT4, Btrfs. Here I should mention that modern Linux and Apple OSX support TRIM commands as well. TRIM functionality can also be implemented independently of the operating system. The O&O Defrag for example enables TRIM operations for FAT32 and exFAT formatted SSD’s.

It should be noted that Windows 7 sends the TRIM command to the SSD not only when file gets deleted or partition gets formatted, but in several other instances as described in Support and Q&A for Solid-State Drives blog post.

"The Trim operation is fully integrated with partition- and volume-level commands like Format and Delete, with file system commands relating to truncate and compression, and with the System Restore (aka Volume Snapshot) feature."

A quick format is all that is required to trigger the TRIM command on SSD and all data will be erased (zeroed out). Speaking about formatting, there has been not much difference between the Quick and Full format options in pre-Vista Windows machines. The only difference between the two was that full format also scanned for bad sectors. The data could still be recovered from formatted drives. Since Windows Vista a full format erases all data and writes zeros and completely destroying the old data. The same applies to Windows 7 and my tests confirmed this.

TRIM can be enabled and disabled manually. In Windows 7 to check TRIM status, as Administrator in the command prompt window, enter the following:

To my knowledge TRIM is not yet supported in RAID volumes. Recently there has been some confusing on this topic in relation to Intel Rapid Storage Technology supporting TRIM for RAID volumes. Intel had to publish a correction that TRIM is only supported in AHCI and RAID modes for drives that are not part of a RAID volume.

Not all SSD’s support the TRIM command; some manufacturers do not even recommend enabling TRIM. Sandforce and OCZ recommend against enabling TRIM in the Mac OS (due to Apple's implementation of TRIM) and discourage using TRIM on controllers with internal low-level compression (due to the way they operate/built).

TRIM + Encryption, a topic worth its own cookbook, so I am going to only lightly touch on it. In my previous post I have mentioned that Apple OS X Lion “FileVault 2” enables whole-disk encryption. It is certainly a big step forward compared to “FileVault 1”; however this needs to be clarified a bit. “FileVault 2” is VOLUME based encryption. For example NTFS, FAT/FAT32 or exFAT partitions located on the same drive will not be encrypted. A recovery partitions also cannot be encrypted by “FileVault 2”. TRIM is believed to be supported on “FileVault 2” encrypted drive. The TRIM command also works on NTFS file system encrypted with Bitlocker and TrueCrypt . TrueCrypt has issued several security warnings in relation to Wear-levelling security issues and the TRIM command revealing information about which blocks are in use and which are not. (Trim Operation Link & Wear-Leveling Link) PGP WDE doesn’t support TRIM, but I remember someone has mentioned that with CLI is possible to encrypt only used sectors. It is likely that the same security issue would arise as in case of TrueCrypt.

Search other Digital Forensics blogs

About Me

Forensic Technology professional with diverse international experience managing and conducting Digital Investigations in both large and small organisations. A passionate computer security and digital forensics professional.

Disclaimer

This blog is intended for my digital forensic needs and shared with everyone interested to make our world a little bit safer. This is a personal weblog. The opinions expressed here represent my own and not those of my employer.
While all reasonable attempts have been made to ensure the accuracy of information on this blog, neither myself nor the blog’s contributors can be held responsible for any errors, inaccuracies, or incomplete information contained therein.
I reserve the right to correct, change, or update any information on this blog at any time without prior notice.